Service Analysis in Incident Response (Linux Systems)
Services in Linux play a vital role in the system's operation. Attackers often exploit this functionality to maintain persistence, allowing them to regain access after system reboots. Here's a comprehensive guide to detecting and analyzing malicious services during incident response.
Key Concepts of Linux Services
Service Status Types:
Active (running): Service is currently running.
Active (exited): Service has completed its task and exited.
Active (waiting): Service is running, waiting for a trigger.
Inactive: Service is not running.
Enabled: Configured to start at boot.
Disabled: Will not start automatically at boot.
1. Listing and Investigating Services
Using service Command
service --status-all
Lists all available services along with their status.
Using systemctl Command
systemctl list-units --type=service
Lists currently loaded services with their statuses.
List All Enabled Services (Startup Services)
systemctl list-unit-files --type=service | grep enabled
2. Identifying Suspicious or Unknown Services
Attackers often create services with inconspicuous names or names similar to legitimate services (e.g., cron_service vs. cron).
Search for Specific Services
If you suspect a service:
sudo systemctl status SERVICE_NAME
This shows:
Service status.
Executable path.
Recent logs.
Inspect the Service’s Unit File
cat /lib/systemd/system/SERVICE_NAME.service
Look for:
ExecStart: Path to the executable/script that starts the service.
Restart: Conditions under which the service restarts.
Environment: Variables passed to the service.
Analyze the Unit File Modification Details
stat /lib/systemd/system/SERVICE_NAME.service
Modified Time: Can indicate unauthorized changes.
Access Time: Shows when it was last accessed.
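As an added example (not code from the original page), the following POSIX shell helper automates the unit-file check just described: it pulls the ExecStart path out of each unit file and flags paths that live under world-writable or user-owned directories, which is the pattern behind lookalike units such as the cron_service example above. The sample unit files and the list of directories treated as suspicious are constructed assumptions for this illustration.

```shell
#!/bin/sh
# Added example: triage systemd unit files by where their ExecStart points.
# Sample units are constructed inline so the script runs offline.

# Print the first executable path named in ExecStart= of a unit file.
# systemd allows prefixes such as "-" or "@" before the path; strip them.
unit_exec_path() {
    sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (suspicious) when the path sits in a location where legitimate
# packaged units rarely point; the directory list is an assumption.
exec_path_suspicious() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/home/*|/root/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Triage every *.service in a directory and print one verdict line per unit.
triage_unit_dir() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        path=$(unit_exec_path "$unit")
        if exec_path_suspicious "$path"; then
            printf 'SUSPECT %s %s\n' "$(basename "$unit")" "$path"
        else
            printf 'ok      %s %s\n' "$(basename "$unit")" "$path"
        fi
    done
}

# Constructed sample units standing in for /lib/systemd/system/*.service.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/cron.service" <<'EOF'
[Unit]
Description=Regular background program processing daemon
[Service]
ExecStart=/usr/sbin/cron -f
EOF
cat > "$SAMPLE_DIR/cron_service.service" <<'EOF'
[Unit]
Description=cron
[Service]
ExecStart=/tmp/.x/cron_service --daemon
Restart=always
EOF

# Prints "ok cron.service /usr/sbin/cron" and "SUSPECT cron_service.service /tmp/.x/cron_service".
triage_unit_dir "$SAMPLE_DIR"
```

On a live system, point triage_unit_dir at /lib/systemd/system and /etc/systemd/system and combine the result with the stat modification times from the step above.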
3. Review Historical and Real-Time Logs
Logs can reveal service creation, modifications, and executions.
Analyze System Logs
To check for service-related logs:
sudo journalctl | grep service
Review Logs for a Specific Service
sudo journalctl -u SERVICE_NAME
Use time filters for more targeted analysis:
sudo journalctl -u SERVICE_NAME --since "2023-11-10" --until "2023-11-13"
Check Logs for All Activities in a Time Range
sudo journalctl --since "2023-11-10 00:00" --until "2023-11-13 23:59"
4. Investigate and Isolate Suspicious Services
Check Service Dependencies
Some malicious services rely on other services or scripts:
systemctl list-dependencies SERVICE_NAME
Inspect Processes Started by the Service
ps aux | grep <PID>
Find and analyze processes associated with the service's PID.
5. Remediation: Stopping and Removing Malicious Services
1. Stop the Service
Prevent it from running:
sudo systemctl stop SERVICE_NAME
2. Disable the Service
Prevent it from starting on boot:
sudo systemctl disable SERVICE_NAME
3. Delete the Service File
Remove the service configuration:
sudo rm /lib/systemd/system/SERVICE_NAME.service
Unit files may also live under /etc/systemd/system/; check that location too so the service cannot be reloaded from a second copy.
4. Reload Daemon to Apply Changes
sudo systemctl daemon-reload
5. Verify Removal
Ensure the service no longer exists:
systemctl list-units --type=service | grep SERVICE_NAME
6. Post-Incident Actions
Review Recent Changes:
Use find to list recently modified files:
find /etc/systemd/system/ -type f -mtime -5
Reinforce Access Controls:
Restrict who can create or modify services.
Enable File Integrity Monitoring:
Use tools like Tripwire or AIDE to monitor system files for changes.
Regular Audits:
Periodically review service configurations and logs for anomalies.
Key Points
Linux services are a common vector for attackers aiming to maintain persistence. By analyzing service configurations, system logs, and active processes, incident responders can uncover and mitigate malicious activities. Proper eradication of malicious services ensures that attackers cannot re-establish control, securing the system against further exploitation.